http://www.wired.com/news/technology/0,72581-0.html

By Kim Zetter
Jan. 31, 2007

David Thomas' entree to online crime came through the conventional world of offline crime. He was born to a Texas oil family, but this circumstance did little to grease his way through life. His parents divorced when he was four, and his father, a geologist and oil prospector, walked out of his life and died destitute in 1987, leaving Thomas with nothing more than a small oil royalty on a barren tract of Texas land.

Left to his own devices, Thomas gravitated to trouble. At 14, he stole a car -- his first felony; by 30 he'd been arrested several times for check fraud, forgery and burglary.

In the 1980s, it looked like things were turning around for him after he married, had kids and caught the computing wave, launching a business building PCs. But his climb up from crime didn't last long.

In 1993 he was working for a Texas company contracted to install electronic key-card systems in Doubletree hotels when Thomas thought his employer was mistreating Doubletree and convinced the hotel to give him the $250,000-a-year contract instead. He was sure it would lead to other contracts. But he'd also just bought a new home in a gated community and needed money for the mortgage. So he bought cheap parts and overcharged Doubletree to get quick cash -- a bad choice made worse by the fact that the components were faulty.

He worked overtime to install the first system in Doubletree's Kansas City hotel, then turned his phone off to rest. As luck would have it, those were the days President Clinton's advance team were in town and staying at the hotel. When the key system failed, they were locked out of their rooms.

Thomas turned his phone on a few days later to a series of shrill messages from the hotel manager. "Where are you? The computers are crashed, what are we going to do?!" Then: "You bastard! You son of a bitch! You'll never work in this town again!"
Thomas lost his house and marriage, and over the next decade alternated between legitimate and criminal work, none of it very successful. He got a job installing databases, then got fired when the company discovered he was on probation for check fraud. Then he smuggled marijuana across the Mexican border. After that, more check fraud followed.

In 1998, at 40, he met Bridget Trevino on an IRC channel -- she was 25 and living with her mother. They crisscrossed the country for a year, living on money from relatives and forged checks. It was the perfect match. "We never argued. We both liked the same exact kind of life -- you know, quiet, sedate, white-picket fence," he says with no hint of irony.

Their vehicle broke down in the Midwest in November 1999, and two weeks later Thomas got a phone call, and a rare lucky break. The Texas land his father left him turned out to have oil and gas reserves beneath it. Big royalty checks started rolling in -- first $2,000 a month, then $6,000 and $8,000. Thomas vowed never to return to crime, and for a year and a half the vow stuck.

Then the oil flow slowed, and the checks dropped back to $2,000, then $1,500. Fearing the well was about to run dry, he sold his royalties on Energynet.com, an auction site where the wealthy traded oil and gas royalties, and got $70,000 -- enough for a down payment on a ranch house. But after six months the money and house were gone. "I never thought things would go south on me like they did. At that point I was bitter," he says.

He turned to his old standby, check fraud; but with outstanding warrants, he needed a new identity. That's how he found Counterfeit Library, a British website where vendors sold "novelty" IDs -- fake IDs that were the stock-in-trade of identity thieves. The site was "total nirvana for a criminal," Thomas says, and a revelation. Thomas had used fake IDs before, but they wouldn't stand up to scrutiny in bright light.
Counterfeit Library IDs, by contrast, were genius, with holograms and magnetic stripes. For $150 you could buy any ID you wanted -- military, federal employee, even the FBI or Secret Service. A little more would get you the whole "rebirth package": birth certificate, driver's license, passport, Social Security card, employee badge (name your dream job), even utility bills to establish proof of residency.

There was also a service called PhantomInfo, which consisted of a script that tapped into the computers of the ChoicePoint data broker. For $29 a month you could send unlimited e-mails to phantominfo@private containing the names of victims whose identity you wanted to steal; the program would search ChoicePoint's database and reply with the victim's Social Security number and current address. "Today, it's just normal, everyday stuff," Thomas says. "But back then it was the first that we had seen of that kind."

This was the start of something big. A small number of carders had long exchanged stolen identity information and credit card numbers on electronic bulletin boards and IRC channels. But websites like Counterfeit Library launched a whole new era of white-collar crime, lowering the entrance barrier for those who never would have found such information otherwise, and creating a global market for trading in large amounts of hacked data. For the first time, crooks could specialize in criminal niches, and market that expertise to thousands of collaborators across borders.

In addition to fake IDs, Counterfeit Library had forums where members traded in special deals. But to participate in the best deals you had to be a senior member, and to be a senior member you had to have 1,000 posts to your name. So, adopting the online nickname "El Mariachi," Thomas set out to make 30 posts a day, aiming for senior status in five weeks. Thomas wrote quality content that got him noticed.
He wrote tutorials on bank fraud -- "$30,000 on a $3,000 Investment" and "Payroll Checks for Fun and Profit" -- as well as long, introspective pieces about a hard life lived and lessons learned. The piece that got him the most attention was a solemn meditation on karmic retribution, which he wrote after he and Trevino found the windows of their Cadillac vandalized while they were out passing bad checks. "We were out doing wrong things," he says, "and it was our time to pay the price."

He developed a following on the boards among older members who considered him a fellow traveler on the hard-luck path, and younger ones who were glad to get a fatherly ear in the quiet hours after midnight.

The positive feedback was a drug to Thomas. He loved leaving the weak David behind and taking on a new persona. Where David Thomas was insecure, El Mariachi was confident and worldly. Where David was unsuccessful at crime, El was a master con man. On the boards, all his neuroses seemed to disappear.

"El is the key to the strength that I have," Thomas says. "I know it sounds psychotic . . . but that is the boards. The characters are built around people who have low self-esteem, and they're looking on the boards for whatever they're missing in life."

But Counterfeit Library was soon supplanted by a new and vigorous type of online criminal marketplace, led by the arrival of the Eastern European fraud merchants.

Eastern Europe, particularly Russia, Ukraine and Romania, has become a wellspring of internet crime in recent years -- a result of rampant corruption, economic decline and too many young hackers with sophisticated skills and a dearth of legitimate opportunity. (See sidebar, "Tracking the Russians" [1].) Organized crime mobs from these countries have joined forces with hackers and become adept at crafting and carrying out online attacks of varying sophistication: from simple phishing ruses to active database intrusions.
"Because organized crime is so well-entrenched there, and tolerated by authorities to some extent, they're the ones who are moving into it most aggressively," says James Lewis, a senior fellow at the Center for Strategic and International Studies.

It's only natural that the bank-card system would draw their attention. "It was the Russians who ... brought plastic online," Thomas says. "They had manufacturing facilities to manufacture credit card plastic and put data on it, and guys on the English side were like, 'Whoa!'"

The "Russians" included two twenty-something Ukrainians named Dmitry Golubov and Pavel Chistov who, according to law enforcement officials, joined with 150 other Eastern European criminals in convening a summit at an Odessa restaurant in the spring of 2001. The result was CarderPlanet, a highly organized online carding and money-laundering emporium that set the standard for all carding sites that followed.

According to Thomas, Golubov, aka "Script," [2] was a spammer who realized the potential for carding when he saw how easily people sent their credit card numbers through e-mail to purchase the products he hawked. His group of cohorts paid hackers $1,000 a day and more to crack bank and card-processing databases to steal credit card numbers, which they sold in "dumps" of hundreds of numbers online. They set up botnets to spam out phishing lures, and even created a makeshift factory for manufacturing blank plastic cards with magnetic stripes and holograms. When Russian authorities eventually raided their workshop [3] in June 2003, they found 8,000 counterfeit credit cards, according to an article in Pravda.

CarderPlanet's how-to tutorials and message boards became a daily must-read for criminals looking to make their mark in the burgeoning field of cybercrime. As one Russian carder noted in a message on the site: "Some people read 'Kommersant', others 'Pravda,' but we -- Planet."

"They were advancing crime by leaps and bounds," Thomas says. "It was a 24/7 operation that never slept."

Where the Russians went, everyone else followed. Although CarderPlanet was initially exclusive to Eastern Europeans, the site later added an English-speaking forum to attract partners in the United States and Britain who could cash out ATM cards and run drop addresses for stolen goods. The site eventually amassed 7,000 members, according to authorities, about 450 of whom overlapped with an increasingly popular U.S. site called Shadowcrew.

"When Shadowcrew first came up and people made a $5,000 score, people were like 'Wow, you're big time,'" Thomas says. "But later on ... guys were making $100,000 a day."

A former Irish carder who used the nick "ITR" told Wired News in an e-mail that the amount of cash he pulled in from his carding days was, at times, hard to keep up with. When asked how much he stole, he replied, "Above the national average, and with some decent investment life is good."

Thomas, of course, wanted in on the action. It wasn't long before he hooked up with a Ukrainian man named "Big Buyer," one of the top Eastern European carders, whose nick derived from his penchant for maxing out stolen credit card numbers with big-ticket items, such as $30,000 watches. "If he had $50 left on the card, he'd go find another item to max out the card," Thomas says. [4]

Thomas went to Seattle where he began laundering money and receiving and selling merchandise for Big Buyer. But carding wasn't his ultimate goal. Thomas had bigger plans in mind. He was devising a scheme to defraud traders at Energynet.com, the auction site where he'd sold his father's oil rights. He needed money from the Big Buyer operations to establish himself as a player at Energynet, where he planned to sell $5 million in oil and gas royalties that didn't exist.
The "Rockford op," as he dubbed it in honor of James Garner's character in The Rockford Files, would be his final scam, the swan song every grifter dreams of that would allow him to retire from a 30-year mediocre career in crime that he no longer had the stomach to pursue.

But it was not to happen. Thomas was on the carding sites only five months before he and Taylor were arrested in Issaquah, Washington, and he began his new role for the FBI.

"I'd like to screw this guy, but it's not my field," a carder using the name "BoBaBc" wrote on CarderPlanet a few months after Thomas started work for the FBI. "If you can help me set it up we'll split it."

Some aspects of online fraud are seasonal -- in December, consumers are likely to receive malicious software crafted as electronic Christmas cards, for example. In 2004, the upcoming national election was looming large in America's consciousness, and cybercrooks like BoBaBc were looking for ways to cash in.

BoBaBc told Thomas he'd planted Trojan horses on the home computer of Darryl Tattrie, then a comptroller for the Kentucky Democratic Party. The hacker found numerous financial files on the computer, among them a spreadsheet listing donations to the party coffers, a list of bank account numbers with the names of people authorized to use them, and even a digital copy of Tattrie's signature for printing checks.

The fraudster had a plan to funnel $250,000 from the party's campaign fund to an offshore bank account, and frame Tattrie for embezzlement. But he was a newbie to wire transfers and needed Thomas' help. Thomas tutored him for several days, and helped him compose a fax to the party's bank. But, of course, he was working both sides. When BoBaBc's anonymous cell phone broke, Thomas sent him a new one -- courtesy of the FBI. Thomas assumes the phone was under surveillance.

It's unclear how BoBaBc's scheme played out in the end.
Around the time that BoBaBc intended to send the fax, he disappeared from the boards, and Thomas never heard from him again. Tattrie, who now works for the Arizona Democratic Party, said that authorities spoke with him about the hack, but wouldn't elaborate on what agency was involved or what was said. It appears, though, that BoBaBc never made good on his embezzlement threat. Officials at the Kentucky Democratic Party and the party's bank say they never received the wire transfer request. [5]

BoBaBc wasn't completely idle, though. Around the time that he was purportedly planning his attack on the party's coffers, Tattrie returned from a trip to find that someone had transferred $6,000 from his personal bank account. His ISP had also canceled his internet service on grounds that someone had been using his account to distribute spam while he was away.

The Kentucky Democratic Party wasn't the only political group targeted by carders that year. As the presidential campaign heated up, there were other schemes surfacing. One carder using the nicks "Mesh" and "Nasa" decided to phish the Ralph Nader campaign site [6]. According to chat logs of his discussions with Thomas, he paid a coder to create a phony Nader campaign page that charged the donor's credit card and, cleverly, delivered the funds to the campaign, while simultaneously sending the card info to him. When the scammer told Thomas what he was doing, Thomas joked that he should phish the Bush campaign site, too. So the scammer complied.

These were heady times for Thomas. He applied himself more diligently to his new job for the FBI than he ever had to other jobs, or even to his life of crime. In some ways it was the best of both worlds for him. He could spend his days immersed in the activities of the community he loved, scheming to commit crimes, without having to worry about being arrested.
Of course, he didn't make money from his capers, but the thrill of being back in the game as El Mariachi and being in the know about what was happening on the boards made up for that.

Then in December 2003, Thomas' online war with other carders crossed a line and he found himself banned from some of the sites. That's when he decided to launch TheGrifters.net and become his own site administrator. The ban turned out to be a blessing: As the owner of his site, he now had unfettered access to all communication on the board.

On the surface, it seems remarkable that the FBI would finance and run an operation like TheGrifters, which facilitated crimes that inflicted very real financial losses against innocent consumers, merchants and banks. But Department of Justice guidelines (.pdf) [8] allow the bureau to run long-term "criminal intelligence" investigations like the one Thomas describes, with no specific arrests or prosecutions anticipated, provided the target is a terrorist group or a "racketeering enterprise." The latter could clearly describe the community that immediately began gathering at TheGrifters.

Thomas had barely launched the site when he made his biggest catch, a Russian spammer who used the nick "King Arthur" and was one of the pioneers of phishing attacks. King kept a fairly low profile on the boards and avoided much of the drama and fighting that American carders were becoming known for. He had a much-coveted program for generating bank algorithms that would authenticate debit and credit cards to an ATM [9]. What he didn't have was language skills.

He wanted to steal money from customers of Minneapolis-based U.S. Bank, which boasts nearly 2,500 branches and 5,000 ATMs in 24 states. But he needed a native English speaker to author a phishing e-mail that could fool Americans into relinquishing their account and PIN numbers. That's where Thomas came in.

U.S. Bank was targeted because some of its accounts allowed $2,000 or more in daily ATM withdrawals. A thief could withdraw two grand from an account at 5:59 p.m. one day and get another two grand at 6:01 p.m. -- the time when U.S. Bank ATMs reset themselves for the next business day.

Butler approved the operation, Thomas says, because phishing attacks were just coming onto the scene and he wanted to see how they operated. Thomas also thinks Butler was hungry for a big scam.

"(Butler) never wanted to work small cases," Thomas says. "He said, 'Look, if I get involved in an investigation or doing an intelligence deal and it's all simple time, I'd be working small time for the rest of my life.... I'm only doing the big stuff.'"

Today, according to some published reports, phishing attacks average 17,000 a month, with no sign of abating. But in early 2004, most people hadn't heard of phishing yet and were easily fooled by the scams. So when King sent out his phishing attack, it wasn't long before account and PIN numbers were rolling in, some with balances exceeding $100,000.

Thomas was in charge of finding cashers for those accounts who wouldn't "rip." It was a common problem with ATM cashers. "You send a guy out to an ATM, he's going to be honest the first time or two out, and then he's going to start dipping in," Thomas says. It was easy to claim that a card number hadn't worked, then pocket the cash. That is, unless you worked with Russian carders, who often claimed to have online access to the compromised bank accounts and knew exactly how much money a casher withdrew.

Thomas sent the numbers to a guy who used the nick "Myth," who coded them to blank cards and doled them out to 25 cashers across the country. Their job was to move from city to city hitting ATMs. Among the cashers were "Decep" and "John Dillinger," a carder who described his cashing activities [10] to Wired News earlier this year before he was arrested [11]. Decep claimed to pull $11,600 from nine cards one night. Myth got $90,000 in a few days, according to Thomas [12].
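The 5:59 p.m. / 6:01 p.m. trick described above is a business-logic weakness in how a "daily" limit is keyed: a counter that resets at a fixed wall-clock boundary can be drained twice within minutes. The Python below is an added example and is not code from the article, from U.S. Bank or from anyone quoted; it takes only the $2,000 figure and the 6 p.m. business-day rollover from the text. It models that fixed-reset limiter next to a rolling 24-hour window and replays a constructed sequence of withdrawals against each. The limiter classes, the business_day() mapping and the timestamps are assumptions for illustration, not a description of any bank's real system.

```python
from datetime import date, datetime, timedelta

# Constructed model of the ATM daily-limit behaviour the article describes.
# Neither limiter is real bank code; both are assumptions for illustration.

DAILY_LIMIT = 2000   # dollars per "day" (figure from the article)
RESET_HOUR = 18      # 6 p.m. business-day rollover (from the article)


def business_day(ts: datetime) -> date:
    """Map a timestamp to the business day it counts against.

    Anything at or after RESET_HOUR is booked to the *next* business day,
    which is exactly why a 5:59 p.m. and a 6:01 p.m. withdrawal each get a
    fresh $2,000 allowance under the fixed-reset scheme.
    """
    if ts.hour >= RESET_HOUR:
        return (ts + timedelta(days=1)).date()
    return ts.date()


class FixedResetLimiter:
    """Weak: the counter is keyed to a fixed wall-clock rollover."""

    def __init__(self, limit: int = DAILY_LIMIT) -> None:
        self.limit = limit
        self.spent: dict[date, int] = {}   # business day -> dollars out

    def withdraw(self, ts: datetime, amount: int) -> bool:
        day = business_day(ts)
        if self.spent.get(day, 0) + amount > self.limit:
            return False
        self.spent[day] = self.spent.get(day, 0) + amount
        return True


class RollingWindowLimiter:
    """Stronger: the limit applies to every 24-hour window ending now."""

    def __init__(self, limit: int = DAILY_LIMIT,
                 window: timedelta = timedelta(hours=24)) -> None:
        self.limit = limit
        self.window = window
        self.history: list[tuple[datetime, int]] = []  # approved only

    def withdraw(self, ts: datetime, amount: int) -> bool:
        cutoff = ts - self.window
        recent = sum(a for t, a in self.history if t > cutoff)
        if recent + amount > self.limit:
            return False
        self.history.append((ts, amount))
        return True


def run_straddle(limiter) -> list[bool]:
    """Replay a constructed straddle of the 6 p.m. boundary.

    Three $2,000 attempts: just before the rollover, two minutes after it,
    and again a little over a day later. Returns which were approved.
    """
    attempts = [
        (datetime(2004, 3, 1, 17, 59), 2000),   # 5:59 p.m., day one
        (datetime(2004, 3, 1, 18, 1), 2000),    # 6:01 p.m., day one
        (datetime(2004, 3, 2, 18, 30), 2000),   # 6:30 p.m., day two
    ]
    return [limiter.withdraw(ts, amt) for ts, amt in attempts]


if __name__ == "__main__":
    print("fixed reset  :", run_straddle(FixedResetLimiter()))
    print("rolling 24h  :", run_straddle(RollingWindowLimiter()))
```

Under the fixed-reset model all three withdrawals go through ($6,000 in about 24.5 hours); the rolling window refuses the 6:01 p.m. attempt because the 5:59 p.m. one is still inside the trailing 24 hours. The rolling check is the usual fix, but note it is only as good as the data it sees: it has to be enforced at the authorization host against every channel, since a per-ATM or per-region counter reopens the same gap.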
The cashers wired 80 percent of their take to King in Russia through Western Union, while Thomas tracked card numbers and amounts on a spreadsheet and kept copies of ATM receipts, which the cashers were required to scan [13].

As far as Thomas was concerned, it was all about keeping King happy. If Thomas got labeled a ripper, King and others wouldn't do business with him, and then he'd lose his value to the FBI. Thomas says the FBI rebudgeted for his surveillance work every six months, and he was always worried that Butler would pull the plug if he didn't prove his worth.

"The thing you have to fight, that you're always fighting, is the diminishing value curve," Thomas says. "If you did really good last month and this month you're shit, you're already a diminishing value."

Throughout all of this, Thomas actively participated in King Arthur's schemes without FBI interference, despite the impact on banks and consumers. Although federal law requires that banks absorb such fraud losses, consumers are still left with the burden of reporting missing funds in a timely manner and with proving that the transactions are fraudulent -- which can be a time-consuming process. While the cashers were draining bank accounts, U.S. Bank, one of the financial institutions hit by King, was telling reporters that no customers lost money [14].

Thomas doesn't know how much the King operation brought in altogether because King had other cashers working other banks for him in the United States and Europe, such as a 24-year-old Texan named Douglas Cade Havard, who authorities said absconded with millions before being arrested with a partner in the United Kingdom in 2004. British officials said that Havard and a 25-year-old Scot named Lee Elwood stole about $11.4 million over 18 months. They were caught only after an accomplice was arrested in Austin, Texas, trying to board a plane carrying $30,000 in $20 bills [15].
As for King's operation with Thomas, the Russian was so happy with the success of the U.S. Bank phish that Thomas authored for him that he decided to phish the Federal Trade Commission as well. He said he hated President Bush and wanted to attack a government financial institution. Thomas explained that it wasn't the FTC he wanted, but the Federal Deposit Insurance Corporation.

The phish, which Thomas helped write, went to 40 million addresses in 24 hours, according to Thomas. The mail told recipients that the FDIC had suspended federal deposit insurance on their bank account due to suspicious activity that violated the Patriot Act. The consumer could lift the ban at the FDIC's IDVerify page (a bogus site hosted on a server in Pakistan) by providing their debit card and PIN number for verification. Failure to comply could result in a visit from the Department of Homeland Security.

But, tipped off to the phishing attack, the FDIC issued a special public alert [16] about the scam, and few people fell for it. The agency also phoned the Pakistani hosting company and persuaded it to take down the fake site [17].

Things grew more harried with the King Arthur schemes when money that the U.S. Bank cashers wired to Russia suddenly stopped going through. Thomas says the FBI allowed about $17,000 to find its way to Eastern Europe before blocking the rest [18].

King wasn't pleased. He'd left Shadowcrew after proceeds from cashing operations based there stopped flowing to him. Now the same thing was happening at TheGrifters. He wanted the cashers to return to Western Union and recover the blocked funds, which in some cases meant sending cashers back to cities they'd left.

"It was a ... nightmare," says Thomas. "You knew there (wasn't) going to be any recovery ... because the feds had locked that money up."

Then Myth started ripping. In Oregon, he had 100 bank accounts to cash out one day, but claimed most of them didn't work [19]. Things were getting out of hand.
As King pressed Thomas to come through with the missing Western Union cash, one of Thomas' enemies at Shadowcrew discovered that King was doing business with Thomas and sent a copy of his old Issaquah police report to the Russian.

Butler had had enough. "(Butler) calls me up and says, 'Shut it down, we're not doing it anymore,'" Thomas says. And that was the end of the King operation.

It wouldn't be long before it was the end of TheGrifters, CarderPlanet and Shadowcrew, too.

-==-

[1] http://www.wired.com/news/technology/0,72605-0.html
[2] http://mosnews.com/news/2005/07/21/ukronlinefraud.shtml
[3] http://english.pravda.ru/accidents/21/96/383/14751_cards.html
[4] http://www.wired.com/news/technology/0,72581-2.html?tw=wn_story_page_next2#fdesc1
[5] http://www.wired.com/news/technology/0,72581-2.html?tw=wn_story_page_next2#fdesc2
[6] http://www.wired.com/news/technology/0,72581-2.html?tw=wn_story_page_next2#fdesc3
[7] http://www.wired.com/news/technology/0,72581-2.html?tw=wn_story_page_next2#
[8] http://www.usdoj.gov/olp/generalcrimes2.pdf
[9] http://www.wired.com/news/technology/0,72581-3.html?tw=wn_story_page_next3#fdesc4
[10] http://www.wired.com/news/culture/0,71479-0.html
[11] http://www.wired.com/news/technology/0,72581-3.html?tw=wn_story_page_next3#fdesc5
[12] http://www.wired.com/news/technology/0,72581-3.html?tw=wn_story_page_next3#fdesc6
[13] http://www.wired.com/news/technology/0,72581-3.html?tw=wn_story_page_next3#fdesc7
[14] http://www.wired.com/news/technology/0,72581-3.html?tw=wn_story_page_next3#fdesc8
[15] http://www.wired.com/news/technology/0,72581-3.html?tw=wn_story_page_next3#fdesc9
[16] http://www.fdic.gov/news/news/SpecialAlert/2004/sa0504.html
[17] http://www.wired.com/news/technology/0,72581-4.html?tw=wn_story_page_next4#fdesc10
[18] http://www.wired.com/news/technology/0,72581-4.html?tw=wn_story_page_next4#fdesc11
[19] http://www.wired.com/news/technology/0,72581-4.html?tw=wn_story_page_next4#fdesc12

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Thu Feb 01 2007 - 03:53:14 PST